Description

Host - Fedora 18 64 bit
Bios has Secure Boot enabled.

When I try to start any machine it says:

Kernel driver not installed (rc=-1908)
The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing
'/etc/init.d/vboxdrv setup'
as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.

Change History

[user@localhost ~]$ sudo virtualbox
[sudo] password for user:
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
available for the current kernel (3.8.2-206.fc18.x86_64) or it failed to
load. Please recompile the kernel module and install it by
sudo /etc/init.d/vboxdrv setup
You will not be able to start VMs until this problem is fixed.

If I build my own kernel with signed modules, I have the key, dkms builds the virtualbox modules on my laptop which has the kernel source and my signing key.
Can you enhance the dkms script to use /usr/src/linux-xxx/signing_key.* and sign the modules if those files are present?

I applied the following workaround for Ubuntu Bionic (18.04). I'm sure it'll also work for Artful (17.10) and Zesty (17.04). Possibly even further back in time. This is based on systemd's RequiredBy capability. Please note that you'll need to have MOK keys already created and enrolled, otherwise there won't be anything to sign the modules with.

First, create the following systemd unit as /etc/systemd/system/ensure-vboxdrv-signed.service:

All that said, grafting a modified version of the above code into the '/usr/lib/virtualbox/vboxdrv.sh' script to be executed during module installation (check to see if signed, if not then sign) and compilation (sign immediately after compiling) would also do the trick.

Another solution could be to port the entire thing to DKMS and leverage the existing infrastructure, but that's probably far too much work at this point (which is likely why it hasn't been done).

So, for now, you can use the above workaround. This should work fine in other Linux distributions that also use systemd and mokutil. Please note that the path that the service unit needs to be created in may change for different Linux distributions.

Part of the problem is that any automatic way to sign kernel modules is probably only marginally safer than disabling signing altogether. Of course, it is hard to say for sure, just as it is hard to say for sure how much security benefit signing modules even provides, particularly on a desktop system.

This is fixed for Ubuntu as of the current 6.0 and trunk test builds<1>. The reason it was possible to do it for Ubuntu is that they already provide a mechanism of their own for use with DKMS modules. The problems I mentioned in my last comment still apply, but since Ubuntu has decided to provide this themselves this was their decision not ours.

A suggestion for anyone who wants this fixed for other host distributions: ask your distributions to provide a mechanism we can use. If the mechanism is compatible with Ubuntu's one then it will be automatically supported, as we only check for the mechanism, not the distribution.

Unfortunately, you have completely broken this for Fedora SecureBoot users.

The unconditional "return 0" on line 280 of https://www.virtualbox.org/changeset/79186/vbox means that the modules will not even be compiled. This leaves us Fedora users, who are quite capable of signing kernel modules, with nothing to sign.

It would be far better, if it's not a Debian/Ubuntu environment, for the code to complete as previously, regardless of the SecureBoot status of the system and a simple, warning to be printed.

I have been manually applying the following patch to vboxdrv.sh to do the post-compile module signing on Fedora 2x & 3x versions. Now, the above changes have crippled any chance of this working.

After further testing, my problem is the same as #14, except that my computer has the correct files. The problem is that (for whatever reason) it's not enrolled, cutting me off with the same unconditional "return 0".

Yes. Indeed, I have a some issue with drivers of virtualbox 6.0.10. I solved the updated issue of linux-headers for VBox 6.0.10 but I am problem with drivers. The OS I using is Ubuntu 18.04 Bionic at x64.How must I proceed? The virtualBox open, compile but not running. My hardware architecture is a Intel i5 with UEFI.

~$ vitualbox

WARNING: The vboxdrv kernel module is not loaded. Either there is no module available for current kernel (4.18.0-25-generic) or it failed load. Please recomplile the kernel module install it by

sudo/sbin/vboxconfig

You will not able to start VMs untill this problem fixed.

However, the VBox open but did not running host ISO.Thus, whenever I did type the instruction:

In the interface of VBox show the other one joint that information - you're use EFI SECURE BOOT. Yes, indeed, it onboard my architecture. The news architectures are coming with this UEFI secure boot. But I did try off that and the VBox following reporting me about Error: KERNEL DRIVE NOT INSTALLED (rc=1908)

The ticket says that this is specifically fixed for recent Ubuntu and Debian10 installations, it doesn't cover everything. Does OpenSUSE provide the infrastructure required, as this was laid out by 'michael' on comments 10 and especially 12?

This is fixed for Ubuntu as of the current 6.0 and trunk test builds. The reason it was possible to do it for Ubuntu is that they already provide a mechanism of their own for use with DKMS modules. The problems I mentioned in my last comment still apply, but since Ubuntu has decided to provide this themselves this was their decision not ours.

A suggestion for anyone who wants this fixed for other host distributions: ask your distributions to provide a mechanism we can use. If the mechanism is compatible with Ubuntu's one then it will be automatically supported, as we only check for the mechanism, not the distribution.

I think I would count this as the same problem if the system is using secure boot and the kernel modules now fail to build, and if removing the two "return 0" lines from /sbin/rcvboxdrv as pointed out in zardoz's patch fix the problem.

I experienced the already mentioned problem that after upgrade to 6.0.10 (via apt full-upgrade) and also after dpkg-reconfigure virtualbox-6.0 there where no vbox* kernel modules anymore.

Commenting the return 0 in /usr/lib/virtualbox/vboxdrv.sh line 280 helped me out in that the script at least compiled the kernel modules. Since I already had some module signing script in place and using it for months I was not interested in fixing this part of vboxdrv.sh.

Here is a slightly other situation: I am running a vanilla Ubuntu 18.04 with Secure Boot enabled in BIOS. This is a stock Ubuntu kernel and I have *not* set up anything for signing self compiled modules, and I don't *want* to do that unless I'm forced to. VirtualBox installed from official repo just worked out-of-the box until 6.0.8, and with those changes in 6.0.10 it tried to force me into creating and enrolling signing keys.

The problem seems to be that vboxdrv.sh only checks the output of "mokutil --sb-state" to decide if it needs to create/enroll a key and kmodsign the modules. In my case mokutil prints "SecureBoot enabled", but everything is working fine *without* signing! I think vboxdrv.sh needs to check something else in addition to "mokutil --sb-state" to make sure it is *really* neccessary to mess around with UEFI variables.

I fixed that by moving the "return 0" from line 280 to line 493, right before the signing procedure. BTW, that "update-secureboot-policy --new-key" curses tool has *no* way to cancel. Had to kill it manually.

I effectively reverted https://www.virtualbox.org/changeset/79186/vbox and everything is working fine for me. Don't need self signed modules and don't want them. Especially since it does not provide any significant security benefit when the key is right there on the target system...

The module signing tool to be run at a build. Two arguments will be passed to the signing tool. The first argument is the target kernel version, the second is the module file path. If the tool exits with a non-zero value, the build will be aborted.